PII in Your Logs Is a GDPR Time Bomb - Here's How to Defuse It

Source: DEV Community
Your application is probably logging PII right now. Not maliciously - it happens naturally. A user submits a form with their email. Your framework logs the full request body for debugging. The email lands in CloudWatch, Datadog, or your ELK cluster. It sits there for 90 days, or 365, or however long your retention policy says.

Under GDPR, that's a data breach waiting for a complaint. Under HIPAA, it's a violation. Under any audit, it's a finding.

The fix isn't "tell developers to be careful." Developers are already careful - until they're debugging a production incident at 2am and add a quick console.log(request.body). The fix is a masking layer that runs automatically, before any log hits storage. This article is about building that layer in Node.js.

What PII Actually Looks Like in Logs

Before masking, you need to know what you're masking. PII in logs shows up in three forms:

Structured fields - JSON payloads where the key makes the value obvious: { "email": "[email protected]", "pass